Slashdot Mirror
Hackers Find Bugs, Extort Ransom, Call It a Public Service (threatpost.com)
Reader msm1267 shares a report on ThreatPost about an ongoing security trend: Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching and is becoming a growing new threat to businesses vulnerable to attacks.
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."
Hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. Researchers say once the intruders steal the data, there's no explicit threat that they will break in again or release data if companies don't pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability
Typical bug poaching incidents start with criminals breaking into a network and stealing as much sensitive data as they can. Next, they post the data to a third-party cloud storage service. Lastly, the attackers email the company links to the data as proof the information was stolen and ask for a wire transfer of money in exchange for how the data was stolen.
During the attack, victims are not threatened with the public release of their data, instead attackers simply send a message that reads: "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun."
If it's genuinely not about the money, demand that the company donate the specified amount to a specified charity.
This space intentionally left blank
Technically, prosecutors can't charge blackmail because they haven't said your data will be exposed unless you pay. They are only asking to be paid for how to patch the security flaw. (White hacking + data extraction) Of course the idea is to add "incentive" with the data being in public, unauthorized space. But they haven't said it would be leaked unless payment is given (or only take it down on the same terms). Of course the victim could turn that around and say, "before we discuss the merit of your services, let's say you remove all files the files I own from your server, allow me access that I may be satisfied to the fact it is destroyed and no spare copies exist, you tell me how your broke into my system and how to patch it up and in exchange I don't send your name, and your communications to me to the cyber crimes division of the FBI, it's a bargain considering the alternative, and some free advice in return for your assistance...stop short of actually stealing files before asking for a fee for your proactive "good citizenry". Appreciate your efforts".
"Imagination is more important than knowledge" - Einstein